From 80c024c4aaca39c458ef04218213ac02dfc20e43 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Tue, 7 Oct 2014 09:52:15 -0700 Subject: [PATCH] Amplify the 4.6.4 SAVE_IPSETS changes in the ipset article Signed-off-by: Tom Eastep --- docs/ipsets.xml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/ipsets.xml b/docs/ipsets.xml index bc15bbd62..af3b1058c 100644 --- a/docs/ipsets.xml +++ b/docs/ipsets.xml @@ -159,6 +159,17 @@ ACCEPT net:+sshok $FW tcp 22 setting SAVE_IPSETS to a comma-separated list of ipset names. You can also restrict the group of sets saved to ipv4 sets by setting SAVE_IPSETS=ipv4. + + With Shorewall 4.6.4, the SAVE_IPSETS option may specify a list of + ipsets to be saved. When such a list is specified, only those ipsets + together with the ipsets supporting dynamic zones are saved. Shorewall6 + support for the SAVE_IPSETS option was also added in 4.6.4. When + SAVE_IPSETS=Yes in shorewall6.conf(5), only ipv6 + ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in shorewall.conf(5), then only + ipv4 ipsets are saved. Both features require ipset version 5 or + later.
@@ -169,7 +180,7 @@ ACCEPT net:+sshok $FW tcp 22 Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in shorewall6-conf(5). When set to Yes, the ipv6 ipsets will be set. You can also save selective ipsets by - setting SAVE_IPSETS to a comma-separated list of ipset names. + setting SAVE_IPSETS to a comma-separated list of ipset names. Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in shorewall.conf won't work correctly because it saves both IPv4 and IPv6 ipsets. To work around
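Review bot: In the hunk at @@ -159,6 +159,17 @@, the closing sentence "Both features require ipset version 5 or later" is ambiguous, because the added paragraph describes three things: the list form of SAVE_IPSETS, Shorewall6 support with SAVE_IPSETS=Yes, and SAVE_IPSETS=ipv4. Name the features that carry the ipset version requirement. The paragraph also repeats the two context sentences directly above it (the comma-separated list and SAVE_IPSETS=ipv4), so consider merging them into one statement. It also writes shorewall6.conf(5) where the context of the next hunk has shorewall6-conf(5); use one form throughout. Since the text says only the listed ipsets plus those supporting dynamic zones are saved, it would help to state explicitly that a set referenced by a rule but left off the list is not saved.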
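Review bot: In the hunk at @@ -169,7 +180,7 @@, the context sentence "When set to Yes, the ipv6 ipsets will be set" just above the changed line looks like a typo for "will be saved", and this patch touches the adjacent line without fixing it. The removed and added lines ("setting SAVE_IPSETS to a comma-separated list of ipset names.") read identically as shown, so if the change is whitespace or markup only, note that in the commit message, which currently mentions only amplifying the 4.6.4 changes.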